Home Page Icon
Home Page
Table of Contents for
Index
Close
Index
by Microsoft Corporation
Building Secure Microsoft® ASP.NET Applications
Building Secure Microsoft ASP.NET Applications: Authentication, Authorization, and Secure Communication
A Note Regarding Supplemental Files
Acknowledgements
Preface
Why We Wrote This Book
Who Should Read This Book?
How You Should Read This Book
Organization of this Book
Part I, Security Models
Part II, Application Scenarios
Part III, Securing the Tiers
Part IV, Reference
System Requirements
Installing the Sample Files
Building Secure ASP.NET Applications—Online Version
Support
1. Introduction
The Connected Landscape
The Foundations
Authentication
Authorization
Secure Communication
Tying the Technologies Together
Design Principles
Summary
2. Security Model for ASP.NET Applications
.NET Web Applications
Logical Tiers
Physical Deployment Models
The Web Server as an Application Server
Remote Application Tier
Implementation Technologies
Security Architecture
Security Across the Tiers
Authentication
ASP.NET Authentication Modes
More Information
Enterprise Services Authentication
More Information
SQL Server Authentication
More Information
Authorization
ASP.NET Authorization Options
More Information
Enterprise Services Authorization
More Information
SQL Server Authorization
More Information
Gatekeepers and Gates
Introducing .NET Framework Security
Code Access Security
Evidence and Security Policy
CAS and ASP.NET Web Applications
Principals and Identities
The IPrincipal and IIdentity Interfaces
WindowsPrincipal and WindowsIdentity
GenericPrincipal and Associated Identity Objects
ASP.NET and HttpContext.User
ASP.NET Identities
More Information
Remoting and Web Services
Summary
3. Authentication and Authorization Design
Designing an Authentication and Authorization Strategy
Identify Resources
Choose an Authorization Strategy
More Information
Choose the Identities Used for Resource Access
Consider Identity Flow
Choose an Authentication Approach
More Information
Decide How to Flow Identity
More Information
Authorization Approaches
Role Based Authorization
Resource Based Authorization
Resource Access Models
The Trusted Subsystem Model
Fixed Identities
Using Multiple Trusted Identities
The Impersonation / Delegation Model
Choosing a Resource Access Model
Advantage of the Impersonation / Delegation Model
Disadvantages of the Impersonation / Delegation Model
Advantages of the Trusted Subsystem Model
Disadvantages of the Trusted Subsystem Model
Flowing Identity
Application vs. Operating System Identity Flow
Impersonation and Delegation
Impersonation
Delegation
Role-Based Authorization
.NET Roles
.NET Roles with Windows Authentication
.NET Roles with non-Windows Authentication
Custom IPrincipal Objects
More Information
Enterprise Services (COM+) Roles
SQL Server User Defined Database Roles
SQL Server Application Roles
More Information
.NET Roles versus Enterprise Services (COM+) Roles
Using .NET Roles
More Information
Checking Role Membership
Role Checking Examples
Choosing an Authentication Mechanism
Internet Scenarios
Forms / Passport Comparison
Advantages of Forms Authentication
Advantages of Passport Authentication
More Information
Intranet / Extranet Scenarios
Authentication Mechanism Comparison
Summary
4. Secure Communication
Know What to Secure
SSL/TLS
Using SSL
IPSec
Using IPSec
RPC Encryption
Using RPC Encryption
More Information
Point to Point Security
Browser to Web Server
Web Server to Remote Application Server
Application Server to Database Server
Using SSL to SQL Server
More Information
Choosing Between IPSec and SSL
Farming and Load Balancing
More Information
Summary
5. Intranet Security
ASP.NET to SQL Server
Characteristics
Secure the Scenario
The Result
Security Configuration Steps
Configuring IIS
Configuring ASP.NET
Configuring SQL Server
Configuring Secure Communication
Analysis
Q&A
Related Scenarios
Non-Internet Explorer Browsers
SQL Authentication to the Database
Flowing the Original Caller to the Database
ASP.NET to Enterprise Services to SQL Server
Characteristics
Secure the Scenario
The Result
Security Configuration Steps
Configuring IIS
Configuring ASP.NET
Configuring Enterprise Services
Configuring SQL Server
Configuring Secure Communication
Analysis
Pitfalls
ASP.NET to Web Services to SQL Server
Characteristics
Secure the Scenario
The Result
Security Configuration Steps
Configuring the Web Server (that Hosts the Web Application)
Configuring the Application Server (that Hosts the Web Service)
Configure SQL Server
Configuring Secure Communication
Analysis
Pitfalls
Q&A
Related Scenarios
ASP.NET to Remoting to SQL Server
Characteristics
Secure the Scenario
The Result
Security Configuration Steps
Configuring the Web Server
Configure the Application Server
Configure SQL Server
Configuring Secure Communication
Analysis
Pitfalls
Related Scenarios
Flowing the Original Caller to the Database
ASP.NET to SQL Server
Using Basic Authentication at the Web Server
Using Integrated Windows Authentication at the Web Server
ASP.NET to Enterprise Services to SQL Server
Characteristics
Secure the Scenario
The Result
Security Configuration Steps
Analysis
Pitfalls
Summary
6. Extranet Security
Exposing a Web Service
Characteristics
Secure the Scenario
The Result
Security Configuration Steps
Configuring the Partner Application
Configuring the Extranet Web Server
Configuring SQL Server
Configuring Secure Communication
Analysis
Pitfalls
Q&A
Related Scenarios
More Information
Exposing a Web Application
Scenario Characteristics
Secure the Scenario
The Result
Configuring the Extranet Web Server
Configuring SQL Server
Configuring Secure Communication
Analysis
Pitfalls
Related Scenarios
No Connectivity from Extranet to Corporate Network
More Information
Summary
7. Internet Security
ASP.NET to SQL Server
Characteristics
Secure the Scenario
The Result
Security Configuration Steps
Configure the Web Server
Configuring SQL Server
Configuring Secure Communication
Analysis
Pitfalls
Related Scenarios
Forms Authentication against Active Directory
More Information
.NET Roles for Authorization
More Information
Using a Domain Anonymous Account at the Web Server
More Information
ASP.NET to Remote Enterprise Services to SQL Server
Characteristics
Secure the Scenario
The Result
Security Configuration Steps
Configure the Web Server
Configure the Application Server
Configuring SQL Server
Configuring Secure Communication
Analysis
Pitfalls
Related Scenarios
Forms Authentication Against Active Directory
More Information
Using DCOM
More Information
Using .NET Remoting
More Information
Summary
8. ASP.NET Security
ASP.NET Security Architecture
Gatekeepers
IIS
ASP.NET
UrlAuthorizationModule
FileAuthorizationModule
Principal Permission Demands and Explicit Role Checks
More Information
Authentication and Authorization Strategies
Available Authorization Options
Windows Authentication with Impersonation
Configurable Security
Programmatic Security
When to Use
More Information
Windows Authentication without Impersonation
Configurable Security
Programmatic Security
When to Use
More Information
Windows Authentication Using a Fixed Identity
When to Use
Forms Authentication
Configurable Security
Programmatic Security
When to Use
More Information
Passport Authentication
When to Use
Configuring Security
Configure IIS Settings
Configure ASP.NET Settings
URL Authorization Notes
URL Authorization Examples
Secure Resources
Locking Configuration Settings
Preventing Files from Being Downloaded
Secure Communication
More information
Programming Security
An Authorization Pattern
Retrieve Credentials
Validate Credentials
Put Users in Roles
Create an IPrincipal Object
Put the IPrincipal Object into the Current HTTP Context
Authorize Based on the User Identity and/or Role Membership
More Information
Creating a Custom IPrincipal class
More Information
Windows Authentication
Identifying the Authenticated User
Forms Authentication
Development Steps for Forms Authentication
Configure IIS for Anonymous Access
Configure ASP.NET for Forms Authentication
Create a Logon Web Form and Validate the Supplied Credentials
More Information
Retrieve a Role List from the Custom Data Store
Create a Forms Authentication Ticket
Create an IPrincipal Object
Put the IPrincipal Object into the Current HTTP Context
Authorize the User Based on User Name or Role Membership
Forms Implementation Guidelines
More Information
Hosting Multiple Applications Using Forms Authentication
More Information
Cookieless Forms Authentication
More Information
Passport Authentication
Configure ASP.NET for Passport authentication
Map a Passport Identity into Roles in Global.asax
Test Role Membership
Custom Authentication
More Information
Process Identity for ASP.NET
Use a Least Privileged Account
Avoid Running as SYSTEM
More Information
Domain Controllers and the ASP.NET Process Account
Using the Default ASPNET Account
The <processModel> Element
Storing Encrypted <processModel> Credentials
More Information
Impersonation
Impersonation and Local Resources
Impersonation and Remote Resources
More Information
Impersonation and Threading
Accessing System Resources
Accessing the Event Log
Accessing the Registry
More Information
Accessing COM Objects
Apartment Model Objects
The AspCompat Directive is Required
More Information
Don’t Create COM Objects Outside of Specific Page Events
More Information
C# and VB .NET Objects in COM+
Accessing Network Resources
Using the ASP.NET Process Identity
More Information
Using a Serviced Component
Using the Anonymous Internet User Account
Hosting Multiple Web Applications
Using LogonUser and Impersonating a Specific Windows Identity
Using the Original Caller
More Information
Accessing Files on a UNC File Share
Accessing Non-Windows Network Resources
Secure Communication
More Information
Storing Secrets
Options for Storing Secrets in ASP.NET
More Information
Consider Storing Secrets in Files on Separate Logical Volumes
Securing Session and View State
Securing View State
Securing Cookies
Securing SQL Session State
Securing the Database Connection String
Securing Session State Across the Network
More Information
Web Farm Considerations
Session State
DPAPI
More Information
Using Forms Authentication in a Web Farm
The <machineKey> Element
The validationKey Attribute
The decryptionKey Attribute
The Validation Attribute
More Information
Summary
9. Enterprise Services Security
Security Architecture
Gatekeepers and Gates
Use Server Applications for Increased Security
Security for Server and Library Applications
Assign Roles to Classes, Interfaces, or Methods
Code Access Security Requirements
Configuring Security
Configuring a Server Application
Development Time vs. Deployment Time Configuration
Configure Authentication
Configure Authorization (Component-Level Access Checks)
Create and Assign Roles
Adding Roles to an Application
Adding Roles to a Component (Class)
Adding Roles to an Interface
Adding Roles to a Method
Register Serviced Components
Populate Roles
Use Windows Groups
More Information
Configure Identity
More Information
Configuring an ASP.NET Client Application
Configure Authentication
More Information
Configure Impersonation
More Information
Configuring Impersonation Levels for an Enterprise Services Application
Programming Security
Programmatic Role-Based Security
Identifying Callers
Choosing a Process Identity
Avoid Running as the Interactive User
Use a Least-Privileged Custom Account
Accessing Network Resources
Using the Original Caller
More Information
Using the Current Process Identity
Using a Specific Service Account
Flowing the Original Caller
Calling CoImpersonateClient
More Information
RPC Encryption
More Information
Building Serviced Components
DLL Locking Problems
Versioning
More Information
QueryInterface Exceptions
DCOM and Firewalls
More Information
Calling Serviced Components from ASP.NET
Caller’s Identity
Use Windows Authentication and Impersonation Within the Web-based Application
Configure Authentication and Impersonation within Machine.config
Configuring Interface Proxies
More Information
Security Concepts
Enterprise Services (COM+) Roles and .NET Roles
Authentication
Authentication Level Promotion
Authentication Level Negotiation
More Information
Impersonation
Cloaking
More Information
Summary
10. Web Services Security
Web Service Security Model
Platform/Transport Level (Point-to-Point) Security
When to Use
Application Level Security
When to Use
Message Level (End-to-End) Security
When to Use
The Web Services Development Kit
More Information
Platform/Transport Security Architecture
Gatekeepers
More Information
Authentication and Authorization Strategies
Windows Authentication with Impersonation
Configurable Security
Programmatic Security
When to Use
More Information
Windows Authentication without Impersonation
Configurable Security
Programmatic Security
When to Use
More Information
Windows Authentication Using a Fixed Identity
When to Use
More Information
Configuring Security
Configure IIS Settings
Configure ASP.NET Settings
More Information
Secure Resources
Disable HTTP-GET, HTTP-POST
More Information
Secure Communication
More information
Passing Credentials for Authentication to Web Services
Specifying Client Credentials for Windows Authentication
Using DefaultCredentials
Using Specific Credentials
Request a Specific Authentication Type
Set the PreAuthenticate Property
Using the ConnectionGroupName Property
Calling Web Services from Non-Windows Clients
Proxy Server Authentication
Flowing the Original Caller
Default Credentials with Kerberos Delegation
Configuring the Web Server
Configuring the Remote Application Server
More Information
Explicit Credentials with Basic or Forms Authentication
Basic Authentication
Forms Authentication
Configuring the Web Server
Configuring the Application Server
Trusted Subsystem
Flowing the Caller’s Identity
Configuration Steps
Configuring the Web Server
Configuring the Application Server
Accessing System Resources
Accessing Network Resources
Accessing COM Objects
More Information
Using Client Certificates with Web Services
Authenticating Web Browser Clients with Certificates
Using the Trusted Subsystem Model
Solution Implementation
Why Use an Additional Process?
More Information
Secure Communication
Transport Level Options
Message Level Options
More Information
Summary
11. .NET Remoting Security
.NET Remoting Architecture
Remoting Sinks
Transport Channel Sinks
Comparing Transport Channel Sinks
Custom Sinks
Formatter Sinks
Anatomy of a Request When Hosting in ASP.NET
ASP.NET and the HTTP Channel
More Information
.NET Remoting Gatekeepers
Authentication
Hosting in ASP.NET
Hosting in a Windows Service
Custom Authentication
More Information
Authorization
Using File Authorization
More Information
Authentication and Authorization Strategies
More Information
Accessing System Resources
Accessing Network Resources
Passing Credentials for Authentication to Remote Objects
Specifying Client Credentials
Using DefaultCredentials
Explicit Configuration
Programmatic Configuration
Using Specific Credentials
Request a Specific Authentication Type
Set the preauthenticate Property
Using the connectiongroupname Property
Flowing the Original Caller
Default Credentials with Kerberos Delegation
Configuring the Web Server
Configuring the Remote Application Server
More Information
Explicit Credentials with Basic or Forms Authentication
Basic Authentication
Forms Authentication
Configuring the Web Server
Configuring the Application Server
Trusted Subsystem
Flowing the Caller’s Identity
Choosing a Host
Configuration Steps
Configuring the Web Server
Configuring the Application Server
Using a Windows Service Host
Secure Communication
Platform Level Options
Message Level Options
More Information
Choosing a Host Process
Recommendation
Hosting in ASP.NET
Advantages
Disadvantages
Hosting in a Windows Service
Advantages
Disadvantages
Hosting in a Console Application
Advantages
Disadvantages
Remoting vs. Web Services
Summary
12. Data Access Security
Introducing Data Access Security
SQL Server Gatekeepers
Trusted Subsystem vs. Impersonation/Delegation
Authentication
Windows Authentication
More Information
Using Windows Authentication
Recommendation
Using the ASP.NET Process Identity
Use Mirrored ASPNET Local Accounts
Use Mirrored, Custom Local Accounts
Use a Custom Domain Account
Implementing Mirrored ASPNET Process Identity
Connecting to SQL Server Using Windows Authentication
Using Fixed Identities within ASP.NET
Using Serviced Components
Calling LogonUser and Impersonating a Specific Windows Identity
Using the Original Caller’s Identity
Using the Anonymous Internet User Account
More Information
When Can’t You Use Windows Authentication?
SQL Authentication
Connection String Types
More Information
Choosing a SQL Account for Your Connections
Passing Credentials over the Network
Securing SQL Connection Strings
Authenticating Against Non-SQL Server Databases
Authorization
Using Multiple Database Roles
Secure Communication
The Options
Choosing an Approach
More Information
Connecting with Least Privilege
The Database Trusts the Application
The Database Trusts Different Roles
The Database Trusts the Original Caller
Creating a Least Privilege Database Account
Storing Database Connection Strings Securely
The Options
Using DPAPI
Why Not LSA?
Machine Store vs. User Store
DPAPI Implementation Solutions
Using DPAPI from Enterprise Services
Using DPAPI Directly from ASP.NET
More Information
Using Web.config and Machine.config
Using UDL Files
ACL Granularity
More Information
Using Custom Text Files
Using the Registry
More Information
Using the COM+ Catalog
More Information
Authenticating Users against a Database
Store One-way Password Hashes (with Salt)
Creating a Salt Value
Creating a Hash Value (with Salt)
More Information
SQL Injection Attacks
The Problem
Anatomy of a SQL Script Injection Attack
The Solution
Additional Best Practices
Protecting Pattern Matching Statements
Auditing
Process Identity for SQL Server
Summary
13. Troubleshooting Security Issues
Process for Troubleshooting
Searching for Implementation Solutions
Troubleshooting Authentication Issues
IIS Authentication Issues
Using Windows Authentication
Using Forms Authentication
Kerberos Troubleshooting
Troubleshooting Authorization Issues
Check Windows ACLs
Check Identity
More Information
Check the <authorization> Element
ASP.NET
Enable Tracing
More Information
Configuration Settings
Determining Identity
Determining Identity in a Web Page
Determining Identity in a Web service
More Information
Determining Identity in a Visual Basic 6 COM Object
.NET Remoting
More Information
SSL
More Information
IPSec
Auditing and Logging
Windows Security Logs
More Information
SQL Server Auditing
Sample Log Entries
IIS Logging
Troubleshooting Tools
File Monitor (FileMon.exe)
More Information
Fusion Log Viewer (Fuslogvw.exe)
ISQL.exe
Connecting Using SQL Authentication
Connecting Using Windows Authentication
Running a Simple Query
Windows Task Manager
Network Monitor (NetMon.exe)
More Information
Registry Monitor (regmon.exe)
WFetch.exe
More Information
Visual Studio .NET Tools
More Information
WebServiceStudio
Windows 2000 Resource Kit
Index of How Tos
ASP.NET
Authentication and Authorization
Cryptography
Enterprise Services Security
Web Services Security
Remoting Security
Secure Communication
How To: Create a Custom Account to Run ASP.NET
ASP.NET Worker Process Identity
Impersonating Fixed Identities
Notes
Summary
1. Create a New Local Account
2. Assign Minimum Privileges
3. Assign NTFS Permissions
4. Configure ASP.NET to Run Using the New Account
How To: Use Forms Authentication with Active Directory
Requirements
Summary
1. Create a Web Application with a Logon Page
2. Configure the Web Application for Forms Authentication
3. Develop LDAP Authentication Code to Look Up the User in Active Directory
4. Develop LDAP Group Retrieval Code to Look Up the User’s Group Membership
5. Authenticate the User and Create a Forms Authentication Ticket
6. Implement an Authentication Request Handler to Construct a GenericPrincipal Object
7. Test the Application
How To: Use Forms Authentication with SQL Server 2000
Requirements
Summary
1. Create a Web Application with a Logon Page
2. Configure the Web Application for Forms Authentication
3. Develop Functions to Generate a Hash and Salt value
4. Create a User Account Database
5. Use ADO.NET to Store Account Details in the Database
6. Authenticate User Credentials Against the Database
7. Test the Application
Additional Resources
How To: Create GenericPrincipal Objects with Forms Authentication
Requirements
Summary
1. Create a Web Application with a Logon Page
2. Configure the Web Application for Forms Authentication
3. Generate an Authentication Ticket for Authenticated Users
4. Construct GenericPrincipal and FormsIdentity Objects
5. Test the Application
Additional Resources
How To: Implement Kerberos Delegation for Windows 2000
Notes
Requirements
Summary
1. Confirm that the Client Account is Configured for Delegation
2. Confirm that the Server Process Account is Trusted for Delegation
References
How To: Implement IPrincipal
Requirements
Summary
1. Create a Simple Web Application
2. Configure the Web Application for Forms Authentication
3. Generate an Authentication Ticket for Authenticated Users
4. Create a Class that Implements and Extends IPrincipal
5. Create the CustomPrincipal Object
5. Test the Application
Additional Resources
How To: Create a DPAPI Library
Notes
Requirements
Summary
1. Create a C# Class Library
2. Strong Name the Assembly (Optional)
References
How To: Use DPAPI (Machine Store) from ASP.NET
Notes
Requirements
Summary
1. Create an ASP.NET Client Web Application
2. Test the Application
3. Modify the Web Application to Read an Encrypted Connection String from Web.Config
References
How To: Use DPAPI (User Store) from ASP.NET with Enterprise Services
Notes
Why Use Enterprise Services?
Why Use a Windows Service?
Requirements
Summary
1. Create a Serviced Component that Provides Encrypt and Decrypt Methods
2. Call the Managed DPAPI Class Library
3. Create a Dummy Class that will Launch the Serviced Component
4. Create a Windows Account to Run the Enterprise Services Application and Windows Service
5. Configure, Strong Name, and Register the Serviced Component
6. Create a Windows Service Application that will Launch the Serviced Component
7. Install and Start the Windows Service Application
8. Write a Web Application to Test the Encryption and Decryption Routines
9. Modify the Web Application to Read an Encrypted Connection String from an Application Configuration File
References
How To: Create an Encryption Library
Requirements
Summary
1. Create a C# Class Library
2. Create a Console Test Application
References
How To: Store an Encrypted Connection String in the Registry
Notes
Requirements
Summary
1. Store the Encrypted Data in the Registry
2. Create an ASP.NET Web Application
References
How To: Use Role-based Security with Enterprise Services
Notes
Requirements
Summary
1. Create a C# Class Library Application to Host the Serviced Component
2. Create the Serviced Component
3. Configure the Serviced Component
4. Generate a Strong Name for the Assembly
5. Build the Assembly and Add it to the Global Assembly Cache
6. Manually Register the Serviced Component
7. Examine the Configured Application
8. Create a Test Client Application
How To: Call a Web Service Using Client Certificates from ASP.NET
Why Use a Serviced Component?
Why is a User Profile Required?
Requirements
Summary
1. Create a Simple Web Service
2. Configure the Web Service Virtual Directory to Require Client Certificates
3. Create a Custom Account for Running the Serviced Component
4. Request a Client Certificate for the Custom Account
5. Test the Client Certificate Using a Browser
6. Export the Client Certificate to a File
7. Develop the Serviced Component Used to Call the Web Service
8. Configure and Install the Serviced Component
9. Develop a Web Application to Call the Serviced Component
Additional Resources
How To: Call a Web Service Using SSL
Requirements
Summary
1. Create a Simple Web Service
2. Configure the Web Service Virtual Directory to Require SSL
3. Test the Web Service Using a Browser
4. Install the Certificate Authority’s Certificate on the Client Computer
5. Develop a Web Application to Call the Web Service
Additional Resources
How To: Host a Remote Object in a Windows Service
Notes
Requirements
Summary
1. Create the Remote Object Class
2. Create a Windows Service Host Application
3. Create a Windows Account to Run the Service
4. Install the Windows Service
5. Create a Test Client Application
References
How To: Set Up SSL on a Web Server
Requirements
Summary
1. Generate a Certificate Request
2. Submit a Certificate Request
3. Issue the Certificate
4. Install the Certificate on the Web Server
5. Configure Resources to Require SSL Access
How To: Set Up Client Certificates
Requirements
Summary
1. Create a Simple Web Application
2. Configure the Web Application to Require Client Certificates
3. Request and Install a Client Certificate
4. Verify Client Certificate Operation
Additional Resources
How To: Use IPSec to Provide Secure Communication Between Two Servers
Notes
Requirements
Summary
1. Create an IP Filter
2. Create Filter Actions
3. Create Rules
4. Export the IPSec Policy to the Remote Computer
5. Assign Policies
6. Verify that it Works
Additional Resources
How To: Use SSL to Secure Communication with SQL Server 2000
Notes
Requirements
Summary
1. Install a Server Authentication Certificate
2. Verify that the Certificate Has Been Installed
3. Install the Issuing CA’s Certificate on the Client
4. Force All Clients to Use SSL
5. Allow Clients to Determine Whether to Use SSL
6. Verify that Communication is Encrypted
Additional Resources
Base Configuration
Configuration Stores and Tools
Reference Hub
Searching the Knowledge Base
Tips
.NET Security
Hubs
Active Directory
Hubs
Key Notes
Articles
ADO.NET
Roadmaps and Overviews
Seminars and WebCasts
ASP.NET
Hubs
Roadmaps and Overviews
Knowledge Base
Articles
How Tos
Seminars and WebCasts
Enterprise Services
Knowledge Base
Roadmaps and Overviews
How Tos
FAQs
Seminars and WebCasts
IIS (Internet Information Server)
Hubs
Remoting
Roadmaps and Overviews
How Tos
Seminars and WebCasts
SQL Server
Hubs
Seminars and WebCasts
Visual Studio .NET
Hubs
Roadmaps and Overviews:
Web Services
Hubs
Roadmaps and Overviews
How Tos
Seminars and WebCasts
Windows 2000
Hubs
How Does It Work?
IIS and ASP.NET Processing
Application Isolation
The ASP.NET ISAPI Extension
IIS 6.0 and Windows .NET Server
More Information
ASP.NET Pipeline Processing
The Anatomy of a Web Request
Forms Authentication Processing
Windows Authentication Processing
Event Handling
Implementing a Custom HTTP Module
Implementing a Custom HTTP Handler
ASP.NET Identity Matrix
Cryptography and Certificates
Keys and Certificates
X.509 Digital Certificates
Certificate Stores
More Information
Cryptography
Technical Choices
Cryptography in .NET
Symmetric Algorithm Support
Asymmetric Algorithm Support
Hashing Algorithm Support
Summary
.NET Web Application Security
Glossary
Microsoft® patterns & practices
Index
About the Author
Copyright
Search in book...
Toggle Font Controls
Playlists
Add To
Create new playlist
Name your new playlist
Playlist description (optional)
Cancel
Create playlist
Sign In
Email address
Password
Forgot Password?
Create account
Login
or
Continue with Facebook
Continue with Google
Sign Up
Full Name
Email address
Confirm Email Address
Password
Login
Create account
or
Continue with Facebook
Continue with Google
Prev
Previous Chapter
Index
Next
Next Chapter
Index
C
C#,
More Information
,
Notes
,
Create a C# Class Library
,
Summary
class libraries,
Notes
,
Create a C# Class Library
,
Summary
objects in COM+,
More Information
callers.,
ASP.NET and HttpContext.User
(see , )
CAPICOM objects,
Options for Storing Secrets in ASP.NET
CAS.,
Gatekeepers and Gates
(see )
case sensitivity,
Choosing a SQL Account for Your Connections
Certificate authentication,
ASP.NET Authentication Modes
,
Configure IIS Settings
,
Authenticating Web Browser Clients with Certificates
,
Authenticating Web Browser Clients with Certificates
,
SSL
,
How To: Set Up SSL on a Web Server
,
Submit a Certificate Request
,
How To: Set Up Client Certificates
,
How To: Use SSL to Secure Communication with SQL Server 2000
,
Keys and Certificates
,
Keys and Certificates
,
Keys and Certificates
,
Certificate Stores
browsers and,
Authenticating Web Browser Clients with Certificates
certificate stores,
Keys and Certificates
cryptography and,
Certificate Stores
(see also )
IIS settings,
Configure IIS Settings
issuing certificates,
Submit a Certificate Request
keys and certificates,
Keys and Certificates
setting up client certificates,
How To: Set Up Client Certificates
(see also )
SSL and,
How To: Set Up SSL on a Web Server
,
How To: Use SSL to Secure Communication with SQL Server 2000
(see also , )
troubleshooting,
SSL
trusted subsystem model and,
Authenticating Web Browser Clients with Certificates
Windows authentication and,
ASP.NET Authentication Modes
X.509 digital certificates,
Keys and Certificates
Certificate Authority certificates,
Application Server to Database Server
,
Install the Certificate Authority’s Certificate on the Client Computer
,
How To: Set Up SSL on a Web Server
,
Requirements
,
Keys and Certificates
(see also , )
channel security.,
Secure Communication
(see )
channels, .NET remoting and,
.NET Remoting Security
,
Anatomy of a Request When Hosting in ASP.NET
,
Choosing a Host Process
check points.,
More Information
(see )
classes.,
Gatekeepers and Gates
,
WindowsPrincipal and WindowsIdentity
,
Security for Server and Library Applications
,
Adding Roles to an Application
,
Adding Roles to an Application
,
Adding Roles to a Method
,
How To: Implement IPrincipal
,
Call the Managed DPAPI Class Library
,
Summary
,
Technical Choices
(see also )
adding roles to,
Adding Roles to an Application
assigning roles to,
Security for Server and Library Applications
creating dummy, to launch serviced component,
Call the Managed DPAPI Class Library
creating remote object,
Summary
cryptography,
Technical Choices
interfaces.,
Adding Roles to an Application
(see )
IPrincipal interface.,
How To: Implement IPrincipal
(see )
methods.,
Adding Roles to a Method
(see )
principal and identity,
WindowsPrincipal and WindowsIdentity
client applications,
Use Windows Groups
,
Configure ASP.NET Settings
,
Disable HTTP-GET, HTTP-POST
,
Accessing Network Resources
,
Verify that the Certificate Has Been Installed
,
Force All Clients to Use SSL
allowing, to choose whether to use SSL,
Force All Clients to Use SSL
calling Web services from,
Disable HTTP-GET, HTTP-POST
configuring,
Use Windows Groups
forcing, to use SSL,
Verify that the Certificate Has Been Installed
specifying credentials to remote objects,
Accessing Network Resources
test, for Web services,
Configure ASP.NET Settings
client certificates,
Application Server to Database Server
,
Configure IIS Settings
,
Passing Credentials for Authentication to Web Services
,
Accessing Network Resources
,
Accessing Network Resources
,
SSL
,
How To: Call a Web Service Using Client Certificates from ASP.NET
,
Install the Certificate Authority’s Certificate on the Client Computer
,
How To: Set Up Client Certificates
,
How To: Set Up Client Certificates
,
Create a Simple Web Application
,
Create a Simple Web Application
,
Configure the Web Application to Require Client Certificates
,
Request and Install a Client Certificate
(see also , )
configuring Web application to require,
Create a Simple Web Application
creating simple Web application,
Create a Simple Web Application
IIS settings,
Configure IIS Settings
installing,
Install the Certificate Authority’s Certificate on the Client Computer
requesting and installing,
Configure the Web Application to Require Client Certificates
requirements,
How To: Set Up Client Certificates
SSL and,
Application Server to Database Server
,
SSL
,
How To: Call a Web Service Using Client Certificates from ASP.NET
(see also )
verifying operation of,
Request and Install a Client Certificate
Web services and.,
Accessing Network Resources
(see )
Web services proxies and,
Passing Credentials for Authentication to Web Services
client certificates, Web services security using,
Accessing Network Resources
,
Authenticating Web Browser Clients with Certificates
,
Authenticating Web Browser Clients with Certificates
,
How To: Call a Web Service Using Client Certificates from ASP.NET
,
How To: Call a Web Service Using Client Certificates from ASP.NET
,
Why Use a Serviced Component?
,
Requirements
,
Requirements
,
Create a Simple Web Service
,
Create a Custom Account for Running the Serviced Component
,
Create a Custom Account for Running the Serviced Component
,
Test the Client Certificate Using a Browser
,
Test the Client Certificate Using a Browser
,
Export the Client Certificate to a File
,
Develop the Serviced Component Used to Call the Web Service
,
Configure and Install the Serviced Component
authenticating browser clients,
Authenticating Web Browser Clients with Certificates
configuring and installing serviced component,
Develop the Serviced Component Used to Call the Web Service
configuring Web services virtual directory to require client certificates,
Create a Simple Web Service
creating custom account for serviced component,
Create a Custom Account for Running the Serviced Component
creating simple Web services,
Requirements
creating Web application to call serviced component,
Configure and Install the Serviced Component
developing serviced component to call Web services,
Export the Client Certificate to a File
exporting client certificate to file,
Test the Client Certificate Using a Browser
requesting client certificate for custom account,
Create a Custom Account for Running the Serviced Component
requirements,
Requirements
testing client certificate using browser,
Test the Client Certificate Using a Browser
user profiles and,
Why Use a Serviced Component?
using serviced component,
How To: Call a Web Service Using Client Certificates from ASP.NET
using trusted subsystem model,
Authenticating Web Browser Clients with Certificates
client-side proxies, .NET remoting,
Configuring the Web Server
,
Configuring the Web Server
,
Configuring the Web Server
clients.,
The Foundations
(see , )
cloaking,
Impersonation
CoCopyProxy,
Configuring Interface Proxies
Code Access Security (CAS),
Gatekeepers and Gates
,
Gatekeepers and Gates
,
Evidence and Security Policy
,
Security for Server and Library Applications
Enterprise Services and,
Security for Server and Library Applications
evidence and security policies,
Gatekeepers and Gates
Web applications and,
Evidence and Security Policy
CoImpersonateClient,
Accessing Network Resources
,
Using the Current Process Identity
,
Flowing the Original Caller
,
Authentication Level Negotiation
COM objects,
Accessing the Registry
,
Options for Storing Secrets in ASP.NET
,
Accessing Network Resources
,
Determining Identity in a Web service
accessing,
Accessing the Registry
,
Accessing Network Resources
cryptography and,
Options for Storing Secrets in ASP.NET
determining identity in Visual Basic 6,
Determining Identity in a Web service
COM+,
The Foundations
,
More Information
,
Options for Storing Secrets in ASP.NET
,
Enterprise Services Security
,
Development Time vs. Deployment Time Configuration
,
Using Custom Text Files
C# and VB .NET objects in,
More Information
catalog.,
Development Time vs. Deployment Time Configuration
(see )
constructor strings for storing secrets,
Options for Storing Secrets in ASP.NET
,
Using Custom Text Files
roles.,
The Foundations
(see )
services,
Enterprise Services Security
(see also )
COM+ catalog,
More Information
,
Development Time vs. Deployment Time Configuration
,
Security Concepts
,
Using Custom Text Files
configuration settings,
Development Time vs. Deployment Time Configuration
,
Security Concepts
Enterprise Services authorization and,
More Information
storing connection strings in,
Using Custom Text Files
COM, distributed.,
Development Time vs. Deployment Time Configuration
(see )
communication, secure.,
Secure Communication
(see )
Component Services tool,
More Information
,
Enterprise Services (COM+) Roles
,
Using IPSec
,
Gatekeepers and Gates
,
Development Time vs. Deployment Time Configuration
,
Use Windows Groups
,
Security Concepts
,
Using Custom Text Files
,
Build the Assembly and Add it to the Global Assembly Cache
assigning Windows accounts to roles,
Use Windows Groups
configuring security,
Development Time vs. Deployment Time Configuration
,
Security Concepts
examining configured applications,
Build the Assembly and Add it to the Global Assembly Cache
preventing COM+ catalog access,
Using Custom Text Files
role membership,
More Information
,
Enterprise Services (COM+) Roles
server settings,
Using IPSec
,
Gatekeepers and Gates
components,
Design Principles
,
Using the ASP.NET Process Identity
,
Development Time vs. Deployment Time Configuration
,
Adding Roles to an Application
adding roles to,
Adding Roles to an Application
authorization,
Development Time vs. Deployment Time Configuration
disabling,
Design Principles
serviced.,
Using the ASP.NET Process Identity
(see )
confidentiality,
Authorization
,
Secure Communication
,
Using Multiple Database Roles
,
How To: Call a Web Service Using SSL
,
How To: Use IPSec to Provide Secure Communication Between Two Servers
,
Certificate Stores
configurable security.,
Intranet Security
,
Windows Authentication with Impersonation
,
When to Use
,
Configurable Security
,
Configure IIS Settings
,
More Information
,
More Information
,
When to Use
,
When to Use
,
ASP.NET and the HTTP Channel
,
Using DefaultCredentials
(see also , )
.NET remoting,
ASP.NET and the HTTP Channel
,
Using DefaultCredentials
ASP.NET,
Configure IIS Settings
Forms authentication,
Configurable Security
Web services,
More Information
,
When to Use
Windows authentication with impersonation,
Windows Authentication with Impersonation
,
More Information
Windows authentication without impersonation,
When to Use
,
When to Use
configuration scenarios,
Secure the Scenario
,
The Result
,
The Result
,
The Result
,
ASP.NET to SQL Server
,
Using Integrated Windows Authentication at the Web Server
,
Security Configuration Steps
,
The Result
,
The Result
,
The Result
,
How To: Use DPAPI (User Store) from ASP.NET with Enterprise Services
,
Notes
,
Base Configuration
base software,
Base Configuration
Enterprise Services and DPAPI,
How To: Use DPAPI (User Store) from ASP.NET with Enterprise Services
extranet,
Security Configuration Steps
,
The Result
(see also )
Internet,
The Result
,
The Result
(see also )
intranet,
Secure the Scenario
,
The Result
,
The Result
,
The Result
,
ASP.NET to SQL Server
,
Using Integrated Windows Authentication at the Web Server
(see also )
IPSec,
Notes
configuration stores and tools,
Configuration Stores and Tools
,
Configuration Stores and Tools
,
Configuration Stores and Tools
,
Configuration Stores and Tools
,
Configuration Stores and Tools
,
Configuration Stores and Tools
,
Configuration Stores and Tools
.NET remoting,
Configuration Stores and Tools
ASP.NET,
Configuration Stores and Tools
Enterprise Services,
Configuration Stores and Tools
IIS,
Configuration Stores and Tools
SQL Server,
Configuration Stores and Tools
Web services,
Configuration Stores and Tools
configuration, Enterprise Services security,
Enterprise Services (COM+) Roles
,
Configuring Security
,
Configuring Security
,
Use Windows Groups
,
Configure Authentication
,
Calling Serviced Components from ASP.NET
,
Calling Serviced Components from ASP.NET
,
Configuring Interface Proxies
,
Create a Windows Account to Run the Enterprise Services Application and Windows Service
,
Develop the Serviced Component Used to Call the Web Service
client applications,
Use Windows Groups
Enterprise Services (COM+) roles,
Enterprise Services (COM+) Roles
impersonation levels,
Configure Authentication
interface proxies,
Calling Serviced Components from ASP.NET
security blanket settings,
Configuring Interface Proxies
server applications,
Configuring Security
serviced components,
Create a Windows Account to Run the Enterprise Services Application and Windows Service
,
Develop the Serviced Component Used to Call the Web Service
Windows authentication and impersonation,
Calling Serviced Components from ASP.NET
configuration.,
The Foundations
,
Design Principles
,
Using RPC Encryption
,
Intranet Security
,
Intranet Security
,
Intranet Security
,
Security Configuration Steps
,
Security Configuration Steps
,
The Result
,
Security Configuration Steps
,
Security Configuration Steps
,
Security Configuration Steps
,
The Result
,
The Result
,
The Result
,
Configurable Security
,
Programmatic Security
,
Configure IIS Settings
,
URL Authorization Examples
,
Secure Resources
,
Preventing Files from Being Downloaded
,
Development Steps for Forms Authentication
,
Passport Authentication
,
Passport Authentication
,
Development Time vs. Deployment Time Configuration
,
Configuring Security
,
Proxy Server Authentication
,
Flowing the Original Caller
,
Choosing a Host
,
Implementing Mirrored ASPNET Process Identity
,
Implementing Mirrored ASPNET Process Identity
,
Check Identity
,
Enable Tracing
,
Configure the Web Application for Forms Authentication
,
Create a Web Application with a Logon Page
,
Create a Web Application with a Logon Page
,
Create a Simple Web Application
,
Create a Simple Web Service
,
Summary
,
Install the Certificate on the Web Server
,
Create a Simple Web Application
,
How To: Use IPSec to Provide Secure Communication Between Two Servers
,
Verify that the Certificate Has Been Installed
,
Base Configuration
,
Configuration Stores and Tools
(see also , )
.NET remoting security,
Flowing the Original Caller
,
Choosing a Host
ASPNET account,
Intranet Security
(see also )
authentication level,
Using RPC Encryption
data,
The Foundations
default settings,
Design Principles
,
Implementing Mirrored ASPNET Process Identity
deployment time vs. development time,
Development Time vs. Deployment Time Configuration
Enterprise Services security.,
Intranet Security
(see )
extranet scenarios,
Security Configuration Steps
,
The Result
files.,
Passport Authentication
(see , , )
Forms authentication,
Configurable Security
,
Development Steps for Forms Authentication
,
Configure the Web Application for Forms Authentication
,
Create a Web Application with a Logon Page
,
Create a Web Application with a Logon Page
,
Create a Simple Web Application
IIS security,
Configure IIS Settings
Internet scenarios,
The Result
,
The Result
intranet scenarios,
Security Configuration Steps
,
Security Configuration Steps
,
The Result
,
Security Configuration Steps
,
Security Configuration Steps
IPSec,
How To: Use IPSec to Provide Secure Communication Between Two Servers
locking,
Secure Resources
Passport authentication,
Passport Authentication
requiring client certificates,
Create a Simple Web Application
resetting ASP.NET default,
Implementing Mirrored ASPNET Process Identity
resources to require SSL access,
Install the Certificate on the Web Server
scenarios.,
Base Configuration
(see )
secure communication,
Preventing Files from Being Downloaded
secure resource,
URL Authorization Examples
SSL,
Verify that the Certificate Has Been Installed
stores and tools.,
Configuration Stores and Tools
(see )
troubleshooting ASP.NET,
Enable Tracing
troubleshooting authorization,
Check Identity
Web application security,
Programmatic Security
Web services security,
Configuring Security
,
Proxy Server Authentication
,
Create a Simple Web Service
,
Summary
connected landscape,
Introduction
connection pooling,
Disadvantages of the Impersonation / Delegation Model
connection strings,
Storing Secrets
,
Securing SQL Session State
,
Introducing Data Access Security
,
Connection String Types
,
Choosing a SQL Account for Your Connections
,
Storing Database Connection Strings Securely
,
Storing Database Connection Strings Securely
,
Using DPAPI Directly from ASP.NET
,
Using DPAPI Directly from ASP.NET
,
Using Custom Text Files
,
Using Custom Text Files
,
Using Custom Text Files
,
Modify the Web Application to Read an Encrypted Connection String from Web.Config
,
Write a Web Application to Test the Encryption and Decryption Routines
,
How To: Store an Encrypted Connection String in the Registry
reading encrypted, from Web.config file,
Modify the Web Application to Read an Encrypted Connection String from Web.Config
,
Write a Web Application to Test the Encryption and Decryption Routines
secure storage of,
Introducing Data Access Security
,
Storing Database Connection Strings Securely
securing,
Securing SQL Session State
,
Choosing a SQL Account for Your Connections
SQL authentication and,
Storing Secrets
,
Connection String Types
storing encrypted, in registry,
Using Custom Text Files
,
How To: Store an Encrypted Connection String in the Registry
storing encrypted, with DPAPI,
Storing Database Connection Strings Securely
storing, in COM+ catalog,
Using Custom Text Files
storing, in configuration files,
Using DPAPI Directly from ASP.NET
storing, in custom text files,
Using Custom Text Files
storing, in UDL files,
Using DPAPI Directly from ASP.NET
connectiongroupname property,
Using the ConnectionGroupName Property
,
Request a Specific Authentication Type
console applications,
Hosting in a Windows Service
,
Create a Console Test Application
,
Create a Test Client Application
creating, to test encryption library,
Create a Console Test Application
creating, to test remote object hosting,
Create a Test Client Application
remote object hosting in,
Hosting in a Windows Service
contexts, security,
Design Principles
,
Evidence and Security Policy
,
ASP.NET and HttpContext.User
,
ASP.NET and HttpContext.User
,
Disadvantages of the Trusted Subsystem Model
,
Checking Role Membership
,
Hosting in a Windows Service
,
ASP.NET Identity Matrix
ASP.NET.,
ASP.NET and HttpContext.User
(see )
delegating,
Design Principles
(see also )
flowing.,
Disadvantages of the Trusted Subsystem Model
(see )
WindowsThread.CurrentPrincipal property,
Evidence and Security Policy
,
ASP.NET and HttpContext.User
,
Checking Role Membership
,
Hosting in a Windows Service
,
ASP.NET Identity Matrix
ContextUtil class,
Programmatic Security
cookie replay attacks,
Authorize the User Based on User Name or Role Membership
cookies,
ASP.NET Authentication Modes
,
Forms Authentication
,
Retrieve a Role List from the Custom Data Store
,
Forms Implementation Guidelines
,
Securing Session and View State
,
Using Forms Authentication
,
Develop LDAP Group Retrieval Code to Look Up the User’s Group Membership
,
Create a Web Application with a Logon Page
,
Generate an Authentication Ticket for Authenticated Users
cookieless Forms authentication,
Forms Implementation Guidelines
Forms authentication tickets,
ASP.NET Authentication Modes
,
Forms Authentication
,
Retrieve a Role List from the Custom Data Store
,
Develop LDAP Group Retrieval Code to Look Up the User’s Group Membership
,
Create a Web Application with a Logon Page
,
Generate an Authentication Ticket for Authenticated Users
securing,
Securing Session and View State
troubleshooting,
Using Forms Authentication
CoQueryProxyBlanket,
Configuring Interface Proxies
CoRevertToSelf,
Flowing the Original Caller
,
Impersonation
corporate network extranet connectivity,
Pitfalls
CoSetProxyBlanket,
Configuring Interface Proxies
credentials.,
Authorization
,
Authentication
,
Role Checking Examples
,
Intranet Security
,
An Authorization Pattern
,
Development Steps for Forms Authentication
,
Using the Default ASPNET Account
,
The <processModel> Element
,
Storing Secrets
,
Disable HTTP-GET, HTTP-POST
,
Using Specific Credentials
,
Flowing the Original Caller
,
Forms Authentication
,
Accessing Network Resources
,
Using DefaultCredentials
,
Flowing the Original Caller
,
Configuring the Remote Application Server
,
Introducing Data Access Security
,
Choosing a SQL Account for Your Connections
,
Using the COM+ Catalog
,
.NET Remoting
(see also , )
data access,
Introducing Data Access Security
(see also )
default, with Kerberos delegation,
Flowing the Original Caller
,
Flowing the Original Caller
encrypting,
Intranet Security
explicit, with Basic or Forms authentication,
Forms Authentication
,
Configuring the Remote Application Server
in Machine.config file,
Using the Default ASPNET Account
logon,
Authorization
passing, over networks,
Choosing a SQL Account for Your Connections
passing, to remote objects,
Accessing Network Resources
passing, to Web services,
Disable HTTP-GET, HTTP-POST
retrieving and validating,
An Authorization Pattern
,
Development Steps for Forms Authentication
secret,
Storing Secrets
specific,
The <processModel> Element
,
Using Specific Credentials
,
Using DefaultCredentials
storing,
Role Checking Examples
troubleshooting .NET remoting,
.NET Remoting
validating, against database stores,
Using the COM+ Catalog
Crypto API,
Options for Storing Secrets in ASP.NET
,
How To: Create a DPAPI Library
cryptography,
Authentication
,
Options for Storing Secrets in ASP.NET
,
Using the COM+ Catalog
,
Keys and Certificates
,
Keys and Certificates
,
Keys and Certificates
,
Keys and Certificates
,
Certificate Stores
,
Technical Choices
,
Symmetric Algorithm Support
,
Symmetric Algorithm Support
,
Asymmetric Algorithm Support
(see also , )
.NET Framework support,
Options for Storing Secrets in ASP.NET
,
Technical Choices
asymmetric algorithm support,
Symmetric Algorithm Support
certificate stores,
Keys and Certificates
certificates and keys,
Keys and Certificates
(see also )
hashing alogorithm support,
Asymmetric Algorithm Support
Integrated Windows authentication and,
Authentication
password hashes with salt values,
Using the COM+ Catalog
symmetric algorithm support,
Symmetric Algorithm Support
technical choices,
Certificate Stores
X.509 digital certificates,
Keys and Certificates
CryptProtectData and CryptUnprotectData,
Storing Database Connection Strings Securely
,
How To: Create a DPAPI Library
custom accounts.,
Custom Authentication
(see )
custom authentication,
ASP.NET Authentication Modes
,
More Information
,
Custom Authentication
,
Hosting in a Windows Service
,
Advantages
custom channels,
Transport Channel Sinks
custom HTTP modules and HTTP handlers,
Implementing a Custom HTTP Module
custom identities,
Choose the Identities Used for Resource Access
custom sinks,
Transport Channel Sinks
custom text files, storing connection strings in,
Using Custom Text Files
Add Highlight
No Comment
..................Content has been hidden....................
You can't read the all page of ebook, please click
here
login for view all page.
Day Mode
Cloud Mode
Night Mode
Reset